How to recover from a data breach
Think ahead
Published: 9 February 2009 17:19 GMT by Danny Bradbury
The best defence against hackers trying to steal corporate data is a whole lot of preparation, says Danny Bradbury.
These days the headlines are full of stories about data being stolen from major organisations - in both the private and public sector.
Though every exec hopes they'll never experience such an incident, it's best to be prepared, just in case.
So what do you do after a data breach?
As with disaster recovery, you need a playbook, ready and waiting. "It may not be more than a couple of sides of A4 but you need something in advance," says Paul Vlissidis, technical director at security consulting firm NCC Group SecureTest.
Otherwise, the situation will quickly descend into panic. "I've had everything from people simply pulling the network cable out the back of a live web server, through to doing nothing at all and leaving it, thinking it will all be OK in a couple of days," he says. If the story hits the press and the IT manager was sitting on the breach to protect his job, the company could be in even deeper trouble.
Unfortunately there's no standard playbook for incident management. Even the PCI-DSS specification, normally quite prescriptive, carries only general information about an incident response plan (listed under requirement 12.9 in the latest version of the spec).
It may not be ratified as a standard, but such a playbook does exist in Canada, and it provides useful information that could well be applied in other countries too. The Privacy Commissioner has outlined the process in four key steps: breach containment and preliminary assessment; evaluation of the risks associated with the breach; notification; and prevention.
But those steps will only work if you have the right contacts organised ahead of time, according to Vlissidis. "You need some people in there that will be responsible for certain tasks," he says. Key contacts may include not only people in your own company from areas such as the legal department, human resources and marketing, but also someone with your ISP or software provider.
Breach containment isn't always as easy as patching a piece of software, warns Bruce Potter, founder of security consulting firm Ponte Technologies and organiser of the recent ShmooCon security conference. Without proper audit logs, many companies may not even be able to tell how the breach occurred, he says. All software may have been patched, and everything may look normal, save for the fact that someone just posted your customer database on a BitTorrent site.
Proper audit logs will give you a forensic foothold to track the source of the breach and shut it down. "What I see nine times out of 10 is that most organisations don't have a complete enough audit record to know what files and systems were compromised and shipped out," says Potter.
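As an added illustration of the kind of audit record Potter is describing (this is example code, not part of the original article), the following Python script triages a handful of constructed audit lines: for each process it lists which files were read before a large outbound transfer and which were touched afterwards, and it reports any monitored host that produced no records at all, which is precisely the gap that leaves an organisation unable to say what was shipped out. The log format, host names, IP addresses and asset list are all assumptions made up for this example; it is not auditd's or any vendor's format.

```python
"""
Reconstruct which files a process touched before an outbound transfer, and
spot hosts with no audit coverage. The line format is constructed for this
example and is not a real auditd/syslog layout.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"pid=(?P<pid>\d+) user=(?P<user>\S+) event=(?P<event>\w+) (?P<rest>.*)$"
)

# Constructed sample records. db01 and web02 logged; web01 never did.
SAMPLE_LOG = """\
2009-02-09T02:11:04Z db01 pid=4411 user=www event=open path=/var/lib/app/customers.csv mode=r
2009-02-09T02:11:09Z db01 pid=4411 user=www event=open path=/var/lib/app/orders.csv mode=r
2009-02-09T02:11:31Z db01 pid=4411 user=www event=connect dst=203.0.113.77:443 bytes=58213000
2009-02-09T02:15:00Z web02 pid=912 user=www event=open path=/srv/www/index.html mode=r
2009-02-09T02:15:02Z web02 pid=912 user=www event=connect dst=198.51.100.20:80 bytes=2048
2009-02-09T03:00:12Z db01 pid=4411 user=www event=open path=/etc/passwd mode=r
""".splitlines()

# Hypothetical asset list: every host that is supposed to be sending audit records.
MONITORED_HOSTS = {"db01", "web02", "web01"}


def parse(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Remaining "key=value" pairs (path, mode, dst, bytes) go into attrs.
        rec["attrs"] = dict(kv.split("=", 1) for kv in rec.pop("rest").split())
        events.append(rec)
    return events


def files_before_egress(events, min_bytes=1_000_000):
    """For each (host, pid) with an outbound transfer of at least min_bytes,
    return the files read before that transfer (candidate exfiltrated data)
    and the files read after it (later activity worth checking)."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)

    findings = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        egress = None
        before, after = [], []
        for e in evs:
            sent = int(e["attrs"].get("bytes", 0))
            if e["event"] == "connect" and sent >= min_bytes and egress is None:
                egress = e["attrs"]["dst"]
            elif e["event"] == "open":
                (after if egress else before).append(e["attrs"]["path"])
        if egress:
            findings[key] = {"egress": egress, "read_before": before, "read_after": after}
    return findings


def audit_gaps(events, monitored):
    """Monitored hosts with no records in the window: blind spots in the audit trail."""
    seen = {e["host"] for e in events}
    return sorted(monitored - seen)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for (host, pid), f in files_before_egress(evs).items():
        print(f"{host} pid {pid} sent data to {f['egress']}")
        print("  read before transfer:", f["read_before"])
        print("  read after transfer: ", f["read_after"])
    print("hosts with no audit records:", audit_gaps(evs, MONITORED_HOSTS))
```

The threshold and the "files read before a large transfer" heuristic are deliberately simple; the point is that the question can only be answered at all if every host in the asset list is actually producing records, which is what `audit_gaps` checks.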
You also need some kind of investigation capability, says Vlissidis. Companies have to walk a fine line between containing the breach, and ensuring that compromised systems are left as untouched as possible so that forensic investigators can find a perpetrator and build a legal case against them.
Notification is a tricky problem because of regulatory issues. The UK and Europe, for example, don't currently require companies to notify their customers. That could change soon if amendments to the European ePrivacy directive are approved, although the resulting notification rules might apply only to ISPs and telcos.
Nevertheless, UK companies may have customers in one of the 44 US states that do have a mandatory notification rule, and will thus likely notify all customers. Ariane Siegel, a partner at law firm Gowlings, says companies that are subject to these laws generally apply them to all customers, wherever they are, and won't treat foreign customers differently from local ones. "Most companies are just going to comply with the highest standard applicable to them," she says.
Notification normally means a letter and email but companies don't always take those measures. A spokesperson for job site Monster.com, which recently suffered a data breach, says: "Monster elected not to send email notifications to avoid the risk that those emails would be used as a template for phishing emails that target our job seekers and customers."
The firm contented itself with posting a notice on its website warning people of the breach, which included the loss of Monster user IDs and passwords, email addresses, names, phone numbers and some "basic demographic data".
"Monster believes that the combination of onsite notification and password changes is the safest and most effective way to address the situation," the spokesperson said.
The specifics of your data breach plans will depend on the exact nature of both your business and the breach. Things to consider include whether your industry regulator demands notification and the nature of the stolen data. How localised was the breach? Was it perpetrated via a third-party contractor, or in-house? All of these will inform your actions.
But the important thing is to consider such options ahead of time - and prepare, prepare, prepare.